Comment: IT is a tier one investment – why law firms should buy into it
As firms enter a new financial year, budget allocation and expenditure get well underway, with each department battling for a piece of the pie. Available budget is often redirected to other areas of the business to favour staff bonuses, business development and branding, leaving the IT department with little investment to cope with security threats aimed at the legal sector. The number of financial transactions that take place within law firms has made them a target for cybersecurity attacks from criminals worldwide. Therefore, IT must be considered a tier one investment and not an afterthought which may suffer from reduced funding.
As reputation is everything, a serious breach is very likely to make a significant impact on revenue, if not bankrupt firms already on an unsteady footing. The risks are real; however, firms must resist knee-jerk reactions to the rise in threats to their sector and instead identify a support team who can work closely alongside the firm for the long term. The firm’s leadership team must understand the risks they face; giving sole responsibility and accountability for cybersecurity to the IT team or an outsourced provider is negligent.
The ISO 27001 standard
The managing partner within a firm must be made directly responsible for its security. Of course, a team is necessary to provide the right information, but the managing partner must be the one signing off risks as acceptable or approving budgets and controls to mitigate them. This is really where an international security standard, such as ISO 27001, comes into play. The standard is relatively straightforward to implement; however, you can drastically improve security levels by simply undertaking a risk assessment in the first instance, without worrying about needing to be fully compliant straight away.
Outside of focusing on implementing an Information Security Management System such as ISO 27001, there are a number of IT security systems that can be implemented now without fear of wasting money or over-complicating operations. The fundamentals of spam filters, anti-virus software and firewalls are already part of a firm’s standard protection. This list of ‘must-haves’ should also include device control and encryption, web security (content filtering), email encryption and two-factor authentication. These are certainly controls which any risk assessment will flag up to mitigate a number of significant threats to virtually all operations, even outside of the legal space.
Finally, and most importantly, the majority of attacks are focused on socially engineering members of staff. This means that the highest priority must be to train staff how to spot a potential attack and how they should respond to it. Ideally this should be done in a seminar environment for all staff, with real-life examples of the potential impact of minor and major IT security breaches. If you undertake this simple step, it’s very likely that you’ll increase the level of security within your firm by 90 percent, as the majority of current attacks are focused on the human factor, not on finding open security vulnerabilities in your IT platforms. Attacks can come via phone, through the post and in person in the first instance, not always via an IT system.
The legal sector as a whole must implement effective information management systems and appropriate technologies to stay competitive and thrive. Putting money into these areas will protect business reputation and, consequently, profitability, allowing the firm to flourish with IT as a tier one investment.
Robert Rutherford is CEO of the business and technical consultancy QuoStar